The main purpose of the OpenSSO project is to provide an easy and powerful way to enable Single Sign-On for many legacy software products that do not support it natively. User identification relies on X.509 certificates, which can be provided through a third-party CA system.

OpenSSO consists of an Identity module, which acts as a repository for client certificates and their corresponding users in the target applications. For each target application there is an Application agent, which communicates securely with the identity module and is tightly integrated with the target application. Once a user presents their certificate to any application agent, the agent checks it against the identity module and, if there is a match, sets the correct user identity for the target application.

The identity module does not contain any sensitive information such as a hash of the user's password, only the username/user ID in the target application and the X.509 certificate details.

The identity module is written in PHP. Application agents are written in whatever language the target application is written in. The interface between the identity module and the application agents is secured using digital certificates, which provide encryption and reliable identification of both sides.
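
The certificate-to-user lookup described above, written in PHP as an added example (not OpenSSO's own code): the repository maps a certificate fingerprint to a per-application username and holds no password material. The function names, array layout, application names and users are hypothetical, and the example assumes the agent's TLS layer has already validated the certificate chain against the CA.

```php
<?php
// Added illustration; names, storage layout and sample data are hypothetical.

// SHA-256 fingerprint of a PEM certificate (computed over its DER encoding).
function cert_fingerprint(string $pem): string {
    $fp = openssl_x509_fingerprint($pem, 'sha256');
    if ($fp === false) {
        throw new InvalidArgumentException('not a parseable X.509 certificate');
    }
    return $fp;
}

// Identity lookup: certificate + application name -> username, or null if no match.
function resolve_user(array $identities, string $pem, string $app, ?int $now = null): ?string {
    $now ??= time();
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        return null; // unparseable input never maps to a user
    }
    // Refuse certificates outside their validity window, even if enrolled.
    if ($now < $info['validFrom_time_t'] || $now > $info['validTo_time_t']) {
        return null;
    }
    return $identities[cert_fingerprint($pem)][$app] ?? null;
}

// Constructed sample: a throwaway self-signed certificate standing in for a CA-issued one.
function make_sample_cert(string $cn, int $days = 1): string {
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    $csr = openssl_csr_new(['commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    $x509 = openssl_csr_sign($csr, null, $key, $days, ['digest_alg' => 'sha256']);
    openssl_x509_export($x509, $pem);
    return $pem;
}

$alice   = make_sample_cert('alice');
$mallory = make_sample_cert('mallory');

// The repository stores only fingerprint -> username per target application.
$identities = [cert_fingerprint($alice) => ['wiki' => 'alice.w', 'tracker' => 'asmith']];

var_dump(resolve_user($identities, $alice, 'wiki'));               // enrolled certificate, mapped application
var_dump(resolve_user($identities, $alice, 'mail'));               // enrolled certificate, unmapped application
var_dump(resolve_user($identities, $mallory, 'wiki'));             // certificate not in the repository
var_dump(resolve_user($identities, $alice, 'wiki', time() + 3 * 86400)); // evaluated after the certificate expires
```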